Zero-day vulnerabilities, exploits, and attacks: All you should know

Most software has had a bug at some point. But what if that bug has the potential to open backdoors for hackers to exploit? Worse still, what if the developers of the software have no idea the vulnerability exists? Criminals can abuse these so-called zero day vulnerabilities for months or even years before someone patches them. So what are these vulnerabilities, and how much damage can they cause?

What is zero day?

Zero day definition

“Zero day” refers to a software or hardware vulnerability that is unknown to the people who could fix it, typically the vendor, or that they know about but have not yet patched. The term covers both zero-day vulnerabilities and zero-day exploits.

The name alludes to how long the developer or vendor has known about the problem: zero days. Because the software is already in use, they have had no time to address and patch the flaw before attackers can use it.

In the best-case scenario, whoever discovers a zero-day vulnerability reports it to the software developers so they can fix it. Unfortunately, sometimes attackers find the vulnerability first and exploit it before the developer has a chance to address it.

Zero-day vulnerability defined

A zero-day vulnerability is a security flaw in a piece of software or hardware that its developers and vendors have not yet discovered or fixed, so no patch exists to close the hole. It can be any kind of weakness: a memory-corruption bug, missing encryption, or a missing authorization check. A zero-day vulnerability paves the way for a zero-day exploit.

Zero-day exploit defined

A zero-day exploit is the method or technique criminals use to take advantage of a zero-day vulnerability: code, a tool, or a sequence of steps that abuses a security flaw its creators have not yet discovered. The exploit is the means of carrying out a zero-day attack.

Zero-day attack defined

A zero-day attack is the use of a zero-day exploit in practice: actively exploiting the vulnerability to achieve an unauthorized action, such as installing backdoors, injecting malware, or stealing sensitive information.

How do zero-day attacks work?

Hackers carry out zero-day attacks by detecting a security flaw in the software or hardware, then writing and implementing code to take advantage of the vulnerability before the developers have had a chance to patch it.

Successful zero-day attacks give the attackers access to the software or the system it runs on. By extension, they also endanger the software's users: attackers might steal their personal information and use it for illegitimate purposes.

For example, if attackers carried out a successful zero-day attack on the IoT systems of a smart building, its occupants could lose access to the building, and the attackers could steal information about occupant behavior and even disrupt critical building services, such as cutting off the power or water supply.

What makes zero-day exploits dangerous

Zero-day exploits and attacks are especially dangerous because the attackers are the only ones who know about the vulnerability. If the developers are unaware of the vulnerability, they have no defense for the upcoming attack, which makes the attack that much more effective.

It's not only criminals looking to profit from a large organization's weak cybersecurity. Hacktivists carry out attacks to draw attention to their political and social causes, and intelligence agencies around the world also develop and use zero-day exploits.

Cybercriminals carry out zero-day attacks against operating systems, web browsers, office applications, hardware, firmware, and Internet of Things (IoT) systems. Because the range of targets is so wide, so is the list of victims:

  • Large businesses and organizations.
  • Government agencies.
  • Critical infrastructure.
  • Research institutions and universities.
  • High-profile individuals, especially those who hold valuable, sensitive information or have access to vulnerable systems.

How information about zero-day vulnerabilities spreads

Dedicated cybersecurity firms and individual security researchers discover vulnerabilities and notify developers and vendors about the security flaws in their products. Some companies even run bug bounty programs that reward people who find a flaw in their product and report it to them. The vendor can then develop a patch for the vulnerability.

In addition, the cybersecurity community tracks publicly disclosed vulnerabilities through the CVE (Common Vulnerabilities and Exposures) program, which assigns each disclosed flaw an identifier so that vendors, researchers, and defenders can refer to the same issue. Once a vulnerability has been publicly disclosed and patched, it is no longer a zero-day, although systems that have not applied the patch remain exposed.

Unfortunately, sometimes attackers get to the flaws first. They sell zero-day exploits on the dark web and share information about vulnerabilities in underground forums and on social media.

Famous zero-day attacks

Many infamous zero-day attacks have occurred throughout modern history. Let's take a look at some of the most notorious incidents.

Stuxnet

Stuxnet was a computer worm that used multiple Windows zero-day vulnerabilities to reach the supervisory control and data acquisition (SCADA) systems controlling industrial equipment.

The worm caused enormous damage to Iran's nuclear program. It is reported to have destroyed nearly a fifth of Iran's uranium-enrichment centrifuges and infected around 200,000 computers. It is often described as one of the first true cyber weapons because it caused physical damage to industrial equipment rather than only data loss; the worm is widely attributed to the United States and Israel.

Sony hack

The 2014 Sony Pictures hack is also regularly cited as one of the most famous zero-day attacks. The intruders are believed to have used a zero-day vulnerability to break into the company's network and steal data.

The attackers later released highly sensitive information, including copies of unreleased films, the company's plans for the future, business deals, and emails from Sony's top management. Which specific exploit they used has never been publicly confirmed.

Dridex

Back in 2017, attackers used a then-unpatched vulnerability in Microsoft Word to distribute the Dridex banking trojan, hiding the exploit in Word attachments sent by email. Simply opening the document triggered the exploit and installed Dridex, with no need for the victim to enable macros. The campaign reached millions of users worldwide.

Firefox zero-day

In 2020, Firefox had a memory-safety vulnerability that allowed attackers to execute code inside the browser's process, and from there to run malicious code on victims' devices. Mozilla released an emergency patch, but not before some attackers had exploited the flaw in the wild.

Zoom zero-day threats

In 2020, Zoom faced two serious zero-day vulnerabilities. One allowed credential theft via a malicious link posted in Zoom chat on Windows. The other affected Macs: it let attackers gain root access and take control of the user's microphone and camera. Zoom quickly released the relevant patches.

Google Chrome zero-day vulnerabilities

2021 wasn't a good year for Chrome in regard to zero-day exploits. Google had to issue a series of emergency patches for zero-day vulnerabilities that were being exploited in the wild that year. Some of the flaws could enable remote code execution or crash the browser (denial of service) on affected systems. 2022 saw another bout of Google Chrome zero-day attacks, but those vulnerabilities have since been patched.

How to protect yourself against zero-day attacks

So how do you protect yourself from a threat you don’t know about? Sometimes hackers use zero-day vulnerabilities alongside other attack methods, such as social engineering attacks. Here’s how to lower your risk of falling victim to a zero-day attack:

  • Update your software ASAP. By definition no patch exists while a flaw is still a zero-day, but software updates often contain fixes for critical vulnerabilities, and installing them promptly closes the window of exposure as soon as the vendor ships a fix.
  • Stay informed. Follow vendor security advisories and vulnerability databases such as CVE so you learn quickly when a flaw in software you run has been disclosed; bug bounty programs help vendors find and fix flaws before attackers do.
  • Be wary of phishing scams. Many zero-day attacks only work when combined with other techniques, such as a malicious attachment or link. Don't open unknown links or email attachments; you may end up handing the attacker a foothold or providing sensitive data to criminals.
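The first two steps above come down to a routine question: which of our installed versions are older than the version the vendor fixed, and which of those flaws are already being exploited? The script below is an added example written for this article (it is not the page's own code or any vendor's tool). Every advisory identifier, product name, version number, and host name in it is constructed for illustration; it shows the version-comparison and prioritisation logic, and assumes plain dotted numeric version strings.

```python
"""Match a vulnerability feed against a software inventory to find hosts that
still need a patch. Added example for this article; the advisory IDs, product
names, versions and host names below are constructed, not real data."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    adv_id: str            # constructed identifier, not a real CVE
    product: str
    fixed_in: str          # first version that contains the fix
    exploited_in_wild: bool


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str


# Constructed sample feed, in the spirit of vendor advisories / CVE entries.
ADVISORIES = [
    Advisory("ADV-2024-0001", "examplebrowser", "118.0.5993.70", True),
    Advisory("ADV-2024-0002", "meetingapp", "5.16.2", False),
    Advisory("ADV-2024-0003", "officesuite", "16.0.16924.20150", True),
]

# Constructed sample inventory (host, product, installed version).
INVENTORY = [
    Installed("ws-01", "examplebrowser", "118.0.5993.70"),   # already patched
    Installed("ws-02", "examplebrowser", "117.0.5938.149"),  # vulnerable, exploited in the wild
    Installed("ws-02", "meetingapp", "5.16.1"),              # vulnerable, no known exploit
    Installed("ws-03", "officesuite", "16.0.16924.20150"),   # already patched
    Installed("ws-04", "officesuite", "16.0.16827.20130"),   # vulnerable, exploited in the wild
]


def version_key(version):
    """Turn '118.0.5993.70' into (118, 0, 5993, 70) so versions compare
    numerically rather than as strings (as strings, '10' sorts before '9').
    Only dotted numeric versions are supported; anything else is rejected
    rather than guessed at."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in version.split("."))


def is_vulnerable(installed, advisory):
    """An install is affected if it is the advisory's product and is older
    than the first fixed version."""
    return (installed.product == advisory.product
            and version_key(installed.version) < version_key(advisory.fixed_in))


def find_unpatched(inventory, advisories):
    """Return (priority, host, product, installed, fixed_in, adv_id) rows,
    most urgent first: flaws already exploited in the wild come before ones
    that are not, then hosts in name order."""
    findings = []
    for inst in inventory:
        for adv in advisories:
            if is_vulnerable(inst, adv):
                priority = "P1-exploited" if adv.exploited_in_wild else "P2-patch"
                findings.append((priority, inst.host, inst.product,
                                 inst.version, adv.fixed_in, adv.adv_id))
    findings.sort(key=lambda f: (f[0], f[1]))
    return findings


if __name__ == "__main__":
    for row in find_unpatched(INVENTORY, ADVISORIES):
        print(*row)
```

Run as-is it reports ws-02 and ws-04 first (their browser and office suite are below the fixed version and the flaws are marked as exploited), then ws-02's meeting client as a lower-priority patch; ws-01 and ws-03 are already at the fixed version and are not listed. In a real deployment the two lists would come from your asset inventory and the vendor or CVE feed, and the "exploited in the wild" flag is what turns a long patch backlog into a short emergency list.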

Use a VPN and antivirus software as additional layers of protection for your device against threats such as malware that could open a backdoor into your system. Keep in mind what each layer does: a VPN protects your traffic in transit, and antivirus looks for known malicious files and behavior. Neither can fix the vulnerable application itself, so they complement, rather than replace, prompt patching. Here's what a VPN adds:

  • A VPN protects your company data in transit. A VPN encrypts traffic between each connected device and the VPN server, including traffic from apps that don't encrypt their own connections. If your staff use unencrypted apps to send sensitive information over untrusted networks, that data could otherwise be intercepted by criminals.
  • A VPN can block known phishing sites. NordVPN includes the Threat Protection feature, which blocks known malicious and malware-hosting sites. It also stops pop-up ads, which are a common vector for spyware and other data-stealing malware, and can scan your downloads for known malware.

Most organizations' responses to cybersecurity incidents tend to be reactive, focused on previously known threats. The problem with zero-day vulnerabilities is that, by the time you know what happened, it's already too late.

The key to zero-day protection is a proactive approach. Because you cannot recognise an exploit you have never seen, defences that do not depend on knowing the specific flaw matter most: behaviour-based detection, activity monitoring, least privilege, and limiting what exposed applications are allowed to do. An exploit may be unknown, but what it does afterwards (spawning a shell, dropping a file, reaching out to a new host) usually looks the same as every other intrusion.
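One concrete form of that behaviour-based detection, tying back to the Dridex case above: whatever the underlying vulnerability, a document reader or browser has no business launching a command interpreter, script host, or loader binary. The script below is an added example written for this article, not code from the original page or from any product it mentions. The log lines are constructed for illustration and only loosely modelled on Windows process-creation events (the field names `parent`, `image`, and `cmdline` are an assumption of the example, not a real log schema).

```python
"""Behaviour-based detection of document-borne exploitation: an office
application or browser should not be spawning a shell or script host,
whichever vulnerability was used to get there. Added example for this
article; the sample events below are constructed, not from a real incident."""
import json

# Parents that render untrusted content: the usual entry point for a zero-day
# delivered as an email attachment or a web page.
CONTENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "acrord32.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Children an attacker typically launches right after exploitation: shells,
# script hosts and living-off-the-land binaries used to fetch or run a payload.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe", "msiexec.exe"}

# Constructed sample events, one JSON object per line (raw string, so the
# doubled backslashes are JSON escapes for single backslashes in the paths).
SAMPLE_LOG = r"""
{"ts":"2024-03-11T09:12:03Z","host":"ws-02","user":"alice","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"}
{"ts":"2024-03-11T09:12:04Z","host":"ws-02","user":"alice","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -nop -w hidden -enc SQBFAFgA"}
{"ts":"2024-03-11T09:15:41Z","host":"ws-07","user":"bob","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\splwow64.exe","cmdline":"C:\\Windows\\splwow64.exe 12288"}
{"ts":"2024-03-11T09:20:10Z","host":"ws-09","user":"carol","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe"}
{"ts":"2024-03-11T09:22:55Z","host":"ws-11","user":"dave","parent":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe C:\\Users\\dave\\AppData\\Local\\Temp\\x.dll,Start"}
"""


def basename(path):
    """Lower-cased file name from a Windows path, so 'WINWORD.EXE' matches."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return one alert dict per content handler that spawned a suspicious
    child. Events whose parent is not a content handler (a user opening a
    shell from Explorer) or whose child is not a shell/script host/loader
    (Word handing printing to splwow64.exe) are left alone."""
    alerts = []
    for ev in events:
        parent, child = basename(ev["parent"]), basename(ev["image"])
        if parent in CONTENT_HANDLERS and child in SUSPICIOUS_CHILDREN:
            alerts.append({
                "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                "rule": f"{parent} spawned {child}",
                "cmdline": ev["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a["ts"], a["host"], a["user"], a["rule"], "|", a["cmdline"])
```

On the sample data the rule fires twice: Word launching cmd.exe on ws-02 (the Dridex-style pattern, with an encoded PowerShell stage in the command line) and Chrome launching rundll32.exe against a DLL in a temp directory on ws-11. The Explorer-to-cmd.exe event is an ordinary user action and the Word-to-splwow64.exe event is normal printing, so neither is flagged. The second ws-02 event (cmd.exe launching powershell.exe) is not matched by this pair rule on its own; walking the process tree from the alerted parent would attribute it to the same intrusion, which is the natural next step for a production detection.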
